Using Sophos Connect VPN Client

Hey everyone,

I wanted to highlight one of the features listed in XG v17.5 - Sophos Connect. Sophos Connect is a new IPsec VPN client, included with XG v17.5. This is a preview release, where we decided to make the client available now, before we've made all of the XG improvements we are planning. The client, as it stands now, is a cross platform (Windows and Mac) IPsec client with a simple user interface, and a compelling set of features, that are finished, and available for use now. We didn't want to sit on that while waiting for the rest of our plans to be completed, so we decided to get that out to you sooner, even though the total admin user experience still needs a few significant improvements. 

In XG, you'll notice that the Cisco VPN tab under VPN, has been re-named Sophos Connect, and now offers a download for the new IPsec clients and admin utility. While you can create a split tunnel remote access policy on the IPsec tab, this doesn't yet offer a client IP range. So clients will connect and communicate over the tunnel, using whatever IP they are using locally, on the network they're in. While this might work in some cases, it runs into problems, as soon as your users are connected from a subnet that conflicts with a network being accessed over the tunnel. Having visited a hotel or two that gave out addresses in massive 10.0.0.0/8 subnet ranges, the possibility of a conflict using that configuration is pretty significant. Meanwhile, the feature originally built to work with the now-antiquated Cisco IPsec VPN client solves this, and does offer a client IP range, but doesn't allow you to configure a split tunnel. Since the Cisco client is pretty outdated now, we decided to re-purpose that feature for now, and use it as the preferred method for configuring Sophos Connect. 

This makes for a more robust configuration, but the policy generated by that feature, only offers a full-tunnel. While that may be enough in some cases, most of you are looking for a VPN client that allows split tunneling. The tunnel will support split tunneling, but the UI doesn't yet offer that capability. We could slap in the feature, but we also want to move to a more modern method of pushing policy from the firewall when the tunnel connects, rather than leaving all of that up to the config file. So for now, we've taken a short-cut, (this is an early access release after all :) ) and provided a simple policy editor utility. This also let us expose some of the other great features Sophos Connect offers, like the ability to send Security Heartbeats over the tunnel, or an auto-connect when remote capability. 

Ultimately, we will resolve these limits in XG directly, but for the time being, Sophos Connect Admin will let you customize your policies then deploy them to your users.  It's a temporary solution needed to let you use these features, until we can add them into the firewall itself, and one of the big reasons this client will remain as a long term early access release, after 17.5 goes to GA. 

The client is free, and will remain free in the future, and is available to download from within XG today. The client is now available for early access, so we look forward to your testing and feedback. At the end of the XG EAP, the client code should also be considered at a GA quality at that time, but because of the limits I mentioned earlier, we'll continue to offer it as a longer term EAP release, until some time mid next year. 

The download is in the firewall now, under VPN > Sophos Connect client. Also, if you've just updated to v17.5, be sure the firewall has downloaded the client, under Backup & Firmware > Pattern updates, before you try to grab a copy. The package you'll get from the firewall will contain three programs. Sophos Connect for Windows, Sophos Connect for Mac, and Sophos Connect Admin, which is only available for windows. 

You can find instructions in installing and troubleshooting the client, here: https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/concepts/AboutSophosConnect.html

Looking forward to your feedback, and happy testing!



Tags
[edited by: FloSupport at 7:15 PM (GMT -7) on 28 Sep 2020]
  • Would the current Sophos SSL VPN Client be headed for deprecation in favor of the new Sophos Connect IPSec client at some point following EAP completion or will development continue on both as separate ssl vs ipsec solutions?  Main concerns here with the current SSL client for roaming employee usage that I was wondering if may be addressed in the new client have been lack of a start before logon option on Windows (processing group policy, expired passwords, & credentials sync between the local profile and domain at Windows logon is beneficial in our AD environment for various reasons) and no deployment method IT staff could initiate centrally (users needing to authenticate in the xg portal to get the client + unique certificate combined with lack of technical ability or admin rights on their computers makes large scale deployment complicated).  A few others mentioned these points @ https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/20494468-ssl-vpn-before-authentication & https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/11195709-ssl-vpn-client-for-mass-deployment  - If we're moving a few hundred users from another vendor's vpn solution to XG in the near future, which Sophos client would make the most sense to focus our test efforts on? Thanks for all the work and good news.

  • This VPN Client is installing a Webserver to display the GUI and Logs... Why? It looks like a kind of blowware...

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • When I open the configure file with Sophos Connect Admin, alter it and try to save and convert it, I get the following error:

     

    Informationen über das Aufrufen von JIT-Debuggen
    anstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.

    ************** Ausnahmetext **************
    System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
       bei SophosConnectAdmin.MainForm.SaveSCX(String Filename)
       bei SophosConnectAdmin.MainForm.DialogSaveSCX()
       bei System.Windows.Forms.LinkLabel.OnLinkClicked(LinkLabelLinkClickedEventArgs e)
       bei System.Windows.Forms.LinkLabel.OnMouseUp(MouseEventArgs e)
       bei System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
       bei System.Windows.Forms.Control.WndProc(Message& m)
       bei System.Windows.Forms.Label.WndProc(Message& m)
       bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


    ************** Geladene Assemblys **************
    mscorlib
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3190.0 built by: NET472REL1LAST_C.
        CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll.
    ----------------------------------------
    scadmin
        Assembly-Version: 1.0.49.1016.
        Win32-Version: 1.0.49.1016.
        CodeBase: file:///C:/Program%20Files%20(x86)/Sophos/ConnectAdmin/scadmin.exe.
    ----------------------------------------
    Microsoft.VisualBasic
        Assembly-Version: 10.0.0.0.
        Win32-Version: 14.7.3056.0 built by: NET472REL1.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Microsoft.VisualBasic/v4.0_10.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll.
    ----------------------------------------
    System
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3190.0 built by: NET472REL1LAST_C.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll.
    ----------------------------------------
    System.Core
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3190.0 built by: NET472REL1LAST_C.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll.
    ----------------------------------------
    System.Windows.Forms
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3056.0 built by: NET472REL1.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll.
    ----------------------------------------
    System.Drawing
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3056.0 built by: NET472REL1.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll.
    ----------------------------------------
    System.Configuration
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3056.0 built by: NET472REL1.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll.
    ----------------------------------------
    System.Xml
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3056.0 built by: NET472REL1.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll.
    ----------------------------------------
    System.Runtime.Remoting
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3056.0 built by: NET472REL1.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Runtime.Remoting/v4.0_4.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll.
    ----------------------------------------
    mscorlib.resources
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3056.0 built by: NET472REL1.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/mscorlib.resources/v4.0_4.0.0.0_de_b77a5c561934e089/mscorlib.resources.dll.
    ----------------------------------------
    System.Web.Extensions
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3160.0.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Web.Extensions/v4.0_4.0.0.0__31bf3856ad364e35/System.Web.Extensions.dll.
    ----------------------------------------
    System.Web
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3160.0 built by: NET472REL1LAST_C.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_64/System.Web/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Web.dll.
    ----------------------------------------
    System.Windows.Forms.resources
        Assembly-Version: 4.0.0.0.
        Win32-Version: 4.7.3056.0 built by: NET472REL1.
        CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms.resources/v4.0_4.0.0.0_de_b77a5c561934e089/System.Windows.Forms.resources.dll.
    ----------------------------------------

    ************** JIT-Debuggen **************
    Um das JIT-Debuggen (Just-In-Time) zu aktivieren, muss in der
    Konfigurationsdatei der Anwendung oder des Computers
    (machine.config) der jitDebugging-Wert im Abschnitt system.windows.forms festgelegt werden.
    Die Anwendung muss mit aktiviertem Debuggen kompiliert werden.

    Zum Beispiel:

    <configuration>
        <system.windows.forms jitDebugging="true" />
    </configuration>

    Wenn das JIT-Debuggen aktiviert ist, werden alle nicht behandelten
    Ausnahmen an den JIT-Debugger gesendet, der auf dem
    Computer registriert ist, und nicht in diesem Dialogfeld behandelt.

     

    Any ideas what could be the problem?

    Kind Regards

    Bjoern

  • Hi All

    Tested Sophos Connect Client on both MAC and PC  and they working fine ....

    Best Regards,

    Vishvas

  • momentum said:
    Would the current Sophos SSL VPN Client be headed for deprecation

    No plans for that currently, but in a future feature update of Sophos Connect, we plan to make it a multi-protocol client, able to connect using either IPsec or SSL, auto-selecting the best protocol for use. 

    Start before logon is not targeted in this release. The client is built to be mass deployable, where the same client installer and even the same policy can be pushed to everyone. Currently the policy install is not as optimized as we want, but there is a command line API for the client, allowing the policy to be pushed automatically.

    As for which client to choose in the near future, if IPsec is enough for you, then by all means, look at using Sophos Connect. 

  • Thanks for reporting Bjoern,

    any chance you can share the config file you're using? I'll PM you my email address, if you are able to. 

  • HuberChristian said:
    This VPN Client is installing a Webserver to display the GUI and Logs... Why?

    We have a small team of developers writing cross-platform code. We take every path we can, to make the code portable between multiple platforms, and the architecture used in this application helps to minimize the unique code we would need to write for either platform. 

  • Hello,

    Am downloading the 17.5-Beta2 update to look at currently.

     

    But does the new Sophos Connect have MS-Gina support (connect before Logon) so a Windows client can process drive mappings, group policy and Login scripts?

    Otherwise still looking at using the Green Bow IPSec Client, or loosing out to Fortigate still.

     

    Regards

    Gaivn

     

    Regards,

    Gavin Daniels. DipIT(Networking)

     

     
  • GavinDaniels said:
    But does the new Sophos Connect have MS-Gina support (connect before Logon)

    No, not yet. That is a target feature, but we won't have it in the client for a while. 

  • Hi,

    where can i dowload the client, theres no option for me to download neither in the user portal.

    :)

    Regards

     

    P.S. sucessfull installed and using 17.5